TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Continued Centralization of the Windows Environment Would Improve Administration and Security Efficiencies

September 23, 2011

Reference Number: 2011-20-111

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov


HIGHLIGHTS

CONTINUED CENTRALIZATION OF THE WINDOWS ENVIRONMENT WOULD IMPROVE ADMINISTRATION AND SECURITY EFFICIENCIES

Final Report issued on September 23, 2011

Highlights of Reference Number: 2011-20-111 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) operates a large computer network that includes about 6,000 servers and 110,000 workstations using Windows operating systems provided by the Microsoft Corporation. Proper implementation of Microsoft Corporation Windows technology simplifies system administration and provides methods to strengthen and consistently secure computer systems. When IRS operations run efficiently and securely, taxpayer dollars and data are preserved and protected.

WHY TIGTA DID THE AUDIT

This audit is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Security. The overall objective of this review was to determine whether the IRS has structured its Windows environment to provide efficient and secure management of Windows servers.

WHAT TIGTA FOUND

The IRS has not taken actions to continue enforcing the centralization of its Windows environment, which would simplify system administration and achieve consistent identity and authentication management that is required by Federal regulations and IRS enterprise architecture security principles. TIGTA found three organizations that maintained groups of Windows servers outside of the main centralized group of Windows servers. The IRS spent $1.2 million in contract fees to maintain obsolete computer equipment in one of these groups, rather than spending those funds to resolve the vulnerability.

In addition, the IRS did not ensure that all Windows computers connected to its network were authorized and compliant with security policy, putting the IRS at risk of security breaches. While the IRS had created standards to prevent unauthorized computers from being connected to the network, it had not established a central controlling authority to enforce compliance with its policy.

WHAT TIGTA RECOMMENDED

The Chief Technology Officer should ensure that: 1) an enterprise-wide governing body is established to enforce Windows server group design criteria and ensure unauthorized Windows server groups are not created; 2) planned shutdown of the noncentralized groups of Windows servers is continued or feasibility studies to collapse noncentralized Windows server groups are completed; 3) standards to prevent computers from being connected to the network without proper authorization and required compliance documentation are implemented enterprise-wide; and 4) network scanning tools are utilized to locate unauthorized computers on the IRS network, and adequate procedures are developed and implemented to ensure they are removed.

In its response to the report, the IRS agreed with TIGTA's recommendations and plans to take appropriate corrective actions. However, the IRS disagreed with TIGTA's $1.2 million outcome measure related to the maintenance of obsolete computer equipment. TIGTA maintains the appropriateness of the measure.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 23, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Continued Centralization of the Windows Environment Would Improve Administration and Security Efficiencies (Audit # 201120010)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) has structured its Windows environment to provide efficient and secure management of Windows servers. This audit is included in the Treasury Inspector General for Tax Administration Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Security.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.


Table of Contents

Background
Results of Review
    Actions Are Needed to Allow Active Directory to Simplify System Administration
        Recommendations 1 and 2
    Not All Windows Servers and Workstations Connected to the Network Reside in Authorized Domains
        Recommendations 3 and 4
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Management's Response to the Draft Report


Abbreviations

BSM       Business Systems Modernization
HSPD-12   Homeland Security Presidential Directive-12
IFS       Integrated Financial System
IRS       Internal Revenue Service
ISRP      Integrated Submission and Remittance Processing
MITS      Modernization and Information Technology Services
SAP       Systems, Applications, and Products
SOI       Statistics of Income


Background

The Internal Revenue Service (IRS) operates a large computer network that includes about 6,000 servers[1] and 110,000 workstations using Windows operating systems provided by the Microsoft Corporation. During Fiscal Year 2005, the IRS implemented Active Directory, a Microsoft Corporation software system for administering and securing computer networks. Active Directory manages the identities and relationships of computing resources that comprise a network. It enables administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization simultaneously from a central, organized, accessible database. It simplifies system administration and provides methods to strengthen and consistently secure computer systems. The benefits of Active Directory's centralized management of computers and users include:

    • Central location for network administration and security.
    • The ability to scale up or down easily.
    • Synchronization of directory updates across servers.
    • The ability to design and deploy enterprise monitoring tools and security solutions.
    • Centralized and consistent identity and authentication management.

The IRS's previous network operating system was divided into obsolete and inefficient boundaries, expensive to manage, and difficult to consistently secure. Active Directory supports a centralized approach to system administration that enforces software and security policies across the enterprise.

A forest is the outermost design element or boundary in an Active Directory implementation. As a general rule, best practices dictate that the use of multiple forests for a single application or business process should be avoided. Ideally, there should be only one forest in an organization for maximum administration, cost, and security efficiencies. Because each forest is administered separately, adding additional forests increases an organization's management overhead.

[1] Servers are computers that carry out specific functions. For example, file servers store files, print servers manage printers, and network servers manage network traffic.

A domain is an administrative partition within a forest to manage objects, such as users, groups, and computers. The domain supports a number of core functions related to administration, such as authentication and configuration management. Best practices dictate that the number of domains created within a forest should also be minimized in order to minimize administrative costs. Each additional domain in a forest increases management overhead, requires additional computer hardware, and must have configuration and security policies applied separately.

Domains are further subdivided into organizational units, which are used to uniformly manage administrative groupings of users, groups, and computers. Security settings are consistently applied to all the computers in an organizational unit by linking the appropriate group policy. Linking group policy to organizational units provides a centralized means to control and enforce configuration and security policies. Any computer subsequently added to the organizational unit would automatically receive the appropriate security settings.

In Fiscal Year 2006, the Treasury Inspector General for Tax Administration conducted an audit[2] on the IRS's progress to establish Active Directory enterprise-wide in accordance with industry best practices. The IRS Active Directory Team established the IRS main production forest (called the DS Domain) and intended that it would serve as the shared resource for centralized administration and access control across the IRS enterprise.
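The forest, domain, organizational unit and linked group policy elements described above map directly onto the RSAT PowerShell cmdlets an administrator uses to inventory and shape a directory. The following is an added example, not code from this report, the IRS, or Microsoft: it lists the forest and its domains, creates an organizational unit for member servers, builds a small security baseline GPO and links it to that OU so that any server later placed in the OU inherits the settings automatically. It assumes the ActiveDirectory and GroupPolicy modules, a session with domain administrative rights, and the hypothetical domain corp.example.test; the OU name MemberServers and the GPO name Baseline-MemberServers are also hypothetical.

```powershell
# Added example (not from the TIGTA report). Forest/domain inventory, then an OU
# with an enforced security baseline GPO linked to it. Domain, OU and GPO names
# are hypothetical; run from a session holding domain admin rights.
#Requires -Modules ActiveDirectory, GroupPolicy

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=test'   # hypothetical domain
$ouName   = 'MemberServers'                # hypothetical OU
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Baseline-MemberServers'       # hypothetical GPO

# 1. Forest and domain inventory. One forest is the target state; every extra
#    forest or domain is a separately administered boundary with its own domain
#    controllers and its own copy of configuration and security policy.
$forest = Get-ADForest
'Forest {0}: {1} domain(s), {2} global catalog(s)' -f $forest.Name, @($forest.Domains).Count, @($forest.GlobalCatalogs).Count
foreach ($domainName in $forest.Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    '  Domain {0}: {1} domain controller(s)' -f $domainName, @($dcs).Count
}

# 2. Organizational unit for member servers, created only if it does not exist.
try {
    $ou = Get-ADOrganizationalUnit -Identity $ouDn
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true -PassThru
}

# 3. Security baseline GPO. Registry-backed policy values are used so the whole
#    GPO can be built from PowerShell: require SMB signing on the server side
#    and stop storing LM password hashes.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Member server security baseline (example)' }
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the OU. Enforced so that a child OU cannot block inheritance.
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 5. Verify: links in effect on the OU and the computers that will receive them.
#    A computer moved into this OU needs no per-host configuration to be covered.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
Get-ADComputer -SearchBase $ouDn -Filter * -Properties OperatingSystem |
    Select-Object Name, OperatingSystem, DistinguishedName | Format-Table -AutoSize
```

Step 1 is the part an auditor would run first in each forest: the number of domains and domain controllers it reports is a direct count of the separately administered boundaries the text says should be minimized. Steps 2 through 5 show why a single forest pays off: the baseline is authored once and applies to every server that lands in the OU, whereas a separate forest needs its own copy of the OU, the GPO and the administrators who maintain them.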
The Modernization and Information Technology Services (MITS) Enterprise Operations organization maintains the IRS main production forest.

The IRS Active Directory Team also created a forest design policy which stated that application-specific or group-specific Active Directory forests would not be necessary or desirable as a rule. However, the policy allowed IRS entities that could not delegate enterprise administrative rights for reasons of security (e.g., entities that maintain law enforcement information) to create their own forests rather than participate in the IRS main production forest. Although the MITS organization never finalized this design policy, IRS policy states that the MITS organization is responsible for establishing and managing the IRS Active Directory network topology.[3]

The vast majority of IRS Windows computers and users are included in the IRS main production forest, which contains a root domain, a test domain, and one large production domain. At the time of our prior review, additional forests had been created for two IRS organizations (the Office of Chief Counsel and Criminal Investigation) that needed greater security for protection of law enforcement information and justified the need for separate forests. A forest called Business Systems Modernization (BSM) was also created for the Integrated Financial System (IFS)[4] because it was implemented before the IRS was ready to deploy the main production forest. However, this system did not meet the IRS's criteria for establishing a separate forest; therefore, the IRS had agreed that consideration should be given to bringing it into the IRS's main production forest to achieve maximum efficiencies and security of IRS operations. However, the BSM forest remains as a separate forest to date.

[2] The Enterprise-Wide Implementation of Active Directory Needs Increased Oversight (Reference Number 2006-20-080, dated May 9, 2006).
[3] Network topology is the layout pattern of interconnections of the various elements of a computer network.

We reported that the IRS should enforce its Active Directory design standards because adding unnecessary separate forests would increase the cost of implementing and maintaining Active Directory and would make maintaining consistent security controls more difficult. Because the new Active Directory Team and leadership were already aware of these implementation issues, we made no recommendations to address the multiple forest issue.

This review was performed at the Detroit Computing Center in Detroit, Michigan; the Fresno Campus[5] in Fresno, California; the Ogden Campus in Ogden, Utah; the Office of Chief Counsel in San Francisco, California; Criminal Investigation in Florence, Kentucky; and the Enterprise Operations organization in Oakland, California, during the period October 2010 through July 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[4] The IFS manages the IRS's $11.4 billion operating budget for administering tax payments, collection, and enforcing tax laws.
[5] The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.


Results of Review

Actions Are Needed to Allow Active Directory to Simplify System Administration

Despite IRS plans to establish one main shared Windows administrative boundary (i.e., forest) to achieve maximum administration, cost, and security efficiencies, Figure 1 shows the IRS organizations, in addition to the Enterprise Operations organization, that have established their own forests for managing their Windows servers. Based on our review of IRS policy, industry best practices for Windows environments, and the reasons for which the various forests were established, we believe five of the eight IRS organizations were justified in establishing separate forests.

Figure 1: IRS Business Organizations That Maintain Active Directory Forests

IRS Business Organization                               Number of   Number of         Justified as Separate Forest?
                                                        Forests     Windows Servers
Enterprise Operations                                   1           4,042             Yes; IRS main production forest
IRS Development Forest                                  1           171               Yes; isolated forest for test and development purposes
Chief Counsel                                           2           449               Yes; contains law enforcement data
Criminal Investigation                                  1           615               Yes; contains law enforcement data
Computer Security Incident Response Center              1           76                Yes; contains tools for scanning and managing vulnerabilities that require isolation
BSM                                                     1           24                No
Statistics of Income (SOI)                              4           92                No
Integrated Submission and Remittance Processing (ISRP)  9           210               No
TOTAL                                                               5,679

Source: IRS organizations provided the numbers of Windows servers in their inventories during the course of our review. We provided the conclusion on whether the various forests were justified, based on our audit work.

Three IRS organizations, BSM, SOI, and ISRP, created 14 forests that did not meet MITS organization criteria or industry best practices for establishing a separate forest and should be merged into the IRS's main production forest to achieve maximum administration efficiencies and security of IRS operations.

In addition, users in the BSM, SOI, and ISRP organizations' forests generally have multiple logon accounts, which impede the IRS from establishing centralized and consistent identity and authentication management in adherence with Homeland Security Presidential Directive 12 (HSPD-12) smart card[6] logon requirements and IRS enterprise architecture security principles. HSPD-12, signed by the President on August 27, 2004, established the requirements for a common identification standard for identity credentials issued by Federal Government departments and agencies to Federal employees and contractors for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems. IRS enterprise architecture security principles call for the identities and authenticators of as many users as possible to be stored and managed in a centralized database. Therefore, solutions should be found to consolidate the BSM, SOI, and ISRP organizations' forests into the IRS main production forest and require users to authenticate through it.
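The dual-logon condition described above (one person holding an account in the main production forest and a second account in a separate organization forest) and the distance from smart-card-only logon are both measurable from user exports. The following is an added example, not code from this report or the IRS: a function that matches accounts across two forests by employee ID, lists the people with two logons, and reports how many enabled main-forest accounts do not yet require a smart card. The two user lists are constructed sample data; the domain names DS and SEPARATE, the account names and the employee IDs are hypothetical, and the commented line at the end shows how the same attributes would be exported from a live forest with Get-ADUser.

```powershell
# Added example (not from the TIGTA report). Cross-forest dual-logon and
# smart-card readiness report over constructed sample exports.

function Get-DualLogonReport {
    param(
        [Parameter(Mandatory)] [object[]] $MainForestUsers,
        [Parameter(Mandatory)] [object[]] $SeparateForestUsers
    )
    # Match people by EmployeeID rather than by account name: the same person
    # typically has different SamAccountNames in different forests. Accounts
    # without an EmployeeID (service accounts) cannot be matched and are skipped.
    $separateById = @{}
    foreach ($u in $SeparateForestUsers) {
        if ($u.EmployeeID) { $separateById[$u.EmployeeID] = $u }
    }
    $dual = foreach ($u in $MainForestUsers) {
        if ($u.EmployeeID -and $separateById.ContainsKey($u.EmployeeID)) {
            $other = $separateById[$u.EmployeeID]
            [pscustomobject]@{
                EmployeeID   = $u.EmployeeID
                MainAccount  = '{0}\{1}' -f $u.Domain, $u.SamAccountName
                OtherAccount = '{0}\{1}' -f $other.Domain, $other.SamAccountName
            }
        }
    }
    # Smart-card readiness counts only enabled accounts; disabled accounts
    # cannot log on either way and would inflate the gap.
    $enabled     = @($MainForestUsers | Where-Object { $_.Enabled })
    $noSmartCard = @($enabled | Where-Object { -not $_.SmartcardLogonRequired })
    $pct = if ($enabled.Count -eq 0) { 0 } else {
        [math]::Round(100 * ($enabled.Count - $noSmartCard.Count) / $enabled.Count, 1)
    }
    [pscustomobject]@{
        DualLogonUsers           = @($dual)
        DualLogonCount           = @($dual).Count
        EnabledWithoutSmartCard  = $noSmartCard
        SmartCardCoveragePercent = $pct
    }
}

# Constructed sample exports (hypothetical people, IDs and domain names).
$mainForest = @(
    [pscustomobject]@{ Domain='DS'; SamAccountName='alice.w'; EmployeeID='1001'; Enabled=$true;  SmartcardLogonRequired=$true  }
    [pscustomobject]@{ Domain='DS'; SamAccountName='bob.k';   EmployeeID='1002'; Enabled=$true;  SmartcardLogonRequired=$false }
    [pscustomobject]@{ Domain='DS'; SamAccountName='carol.m'; EmployeeID='1003'; Enabled=$true;  SmartcardLogonRequired=$true  }
    [pscustomobject]@{ Domain='DS'; SamAccountName='dave.r';  EmployeeID='1004'; Enabled=$false; SmartcardLogonRequired=$false }
)
$separateForest = @(
    [pscustomobject]@{ Domain='SEPARATE'; SamAccountName='kbob';      EmployeeID='1002'; Enabled=$true; SmartcardLogonRequired=$false }
    [pscustomobject]@{ Domain='SEPARATE'; SamAccountName='mcarol';    EmployeeID='1003'; Enabled=$true; SmartcardLogonRequired=$false }
    [pscustomobject]@{ Domain='SEPARATE'; SamAccountName='svc-batch'; EmployeeID=$null;  Enabled=$true; SmartcardLogonRequired=$false }
)

$report = Get-DualLogonReport -MainForestUsers $mainForest -SeparateForestUsers $separateForest
$report.DualLogonUsers | Format-Table -AutoSize
'{0} dual-logon user(s); {1} enabled main-forest account(s) still without smart card; coverage {2}%' -f `
    $report.DualLogonCount, $report.EnabledWithoutSmartCard.Count, $report.SmartCardCoveragePercent

# Live equivalent (hypothetical server name): export the same attributes from
# each forest and pass the results to the function instead of the sample data.
# $mainForest = Get-ADUser -Server ds.example.test -Filter * -Properties EmployeeID, SmartcardLogonRequired |
#     Select-Object @{n='Domain';e={'DS'}}, SamAccountName, EmployeeID, Enabled, SmartcardLogonRequired
```

On the sample data the report lists two dual-logon users (employee IDs 1002 and 1003), one enabled main-forest account without a smart-card requirement, and 66.7% smart-card coverage. The same two figures, run per separate forest, give a concrete measure of the identity-consolidation gap the paragraph above describes: the dual-logon count is the number of accounts that disappear when users authenticate solely through the main production forest, and the coverage figure tracks progress toward the HSPD-12 smart card logon requirement.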
The IRS main production forest is\nalready enabled for smart card logon, a Federal requirement that all of the IRS must work\ntowards.\nHaving the least number of forests in the IRS environment would achieve the maximum amount\nof administration efficiencies and would result in costs savings by eliminating administrative\nresponsibilities from the 14 forests. The IRS would also incur significant transition and\nimplementation costs as the IRS attempts to get to this target state. As a result, we were unable\nto specifically measure the savings expected to be achieved in the long run, since costs to\ncollapse existing forests may exceed savings in the short term, pushing out the return on\ninvestment.\n\nThe BSM organization forest is obsolete and should be removed\nThe IRS contracted with the IBM Corporation to setup the BSM organization forest as a means\nto authenticate users to the IFS application when it went into production in November 2004,\nbefore the IRS main production forest was implemented. However, once the IRS main\nproduction forest was implemented, efficiencies could have been achieved if BSM organization\nservers were upgraded to Windows 2003, allowing the BSM organization forest to be merged\ninto the IRS main production domain. Currently, the BSM organization forest consists of\nprimarily legacy Windows 2000 servers, which are outdated and no longer supported by the\nMicrosoft Corporation. Patches are no longer issued for these servers, which remain a high\nsecurity risk.\nIn addition, the current method used to authenticate users to the IFS has an access vulnerability\nthat allows users and system administrators to remotely logon using an unsecured alternative\npath. 
This remote logon access, intended to be used only in emergencies by system\nadministrators when no other access to the system is available, was being used periodically by\n\n\n6\n In the IRS\xe2\x80\x99s target architecture, the user identity and authenticator of each IRS employee will be stored on a smart\ncard and used to access IRS facilities and information systems in accordance with HSPD-12.\n\n                                                                                                              Page 5\n\x0c                        Continued Centralization of the Windows Environment\n                        Would Improve Administration and Security Efficiencies\n\n\n\nusers during their normal course of business. The remote logon software uses unencrypted\ncommunication and allows potential attackers to get access to usernames and passwords by\nlistening on the network, which could lead to unauthorized access to the IFS. Further, the IFS\ndid not have audit logging features enabled, as required by IRS security policy. Therefore, an\nattacker could gain unauthorized access to the IFS and steal or destroy financial records without\nbeing detected. The BSM organization informed us that it recently enabled audit logging\nfeatures for the IFS application to mitigate this risk. Removing the BSM organization forest and\nauthenticating IFS users through the IRS main production forest would eliminate this remote\naccess vulnerability.\nFurther, the BSM organization forest impedes the IRS\xe2\x80\x99s goals for achieving consistent identity\nmanagement user smart card access, in compliance with HSPD-12 requirements, because two\nlogon accounts must be maintained for IFS users in the BSM organization forest and in their\nhome forests.\nThe annual cost for the IBM Corporation contract is currently about $1.2 million. 
The original\ncontract, made in Fiscal Year 2001, had been extended several times since Fiscal Year 2006;\nhowever, the extensions had not included upgrades to the existing equipment. The Microsoft\nCorporation ended support for Windows 2000 servers in July 2010; consequently, the IRS has\nspent $1.2 million from July 2010 to July 2011 to maintain obsolete equipment rather than\nspending those funds to resolve the vulnerability.\nThe BSM organization staff believes the best and least costly alternative for retiring the BSM\norganization forest is a Systems, Applications, and Products (SAP) in Data Processing Secure\nNetwork Communications7 solution. However, this product has not yet been validated by the\nNational Institute of Standards and Technology as Federal Information Processing Standards\n140-2 compliant. The Federal Information Processing Standards Publication 140-2 specifies the\nsecurity requirements that cryptographic8 technologies must meet as standards for protection of\nsensitive or valuable data within Federal information systems. The National Institutes of\nStandards and Technology validates cryptographic technologies as meeting the standard, and\nprecludes the use of unvalidated cryptographic technologies within Federal systems. The BSM\norganization informed us that it expects the SAP Secure Network Communications solution to\nachieve National Institute of Standards and Technology validation by December 2011, and to\nhave it implemented by March 2012. The IRS approved funding to implement this solution in\nJuly 2011.\n\n\n\n7\n  SAP systems include basic security measures, which include the SAP authorization concept and user\nauthentication based on passwords. 
With Secure Network Communications, SAP customers can extend SAP system\nsecurity beyond these basic measures to include the additional protection offered by stronger authentication\nmethods, by encryption, and by single logon.\n8\n  Cryptography refers to the transformation of ordinary text (plaintext) into coded form (ciphertext) by the use of\nencryption formulas and algothirims.\n                                                                                                           Page 6\n\x0c                     Continued Centralization of the Windows Environment\n                     Would Improve Administration and Security Efficiencies\n\n\n\nThe effect to the IRS of allowing this separate BSM organization forest to remain includes:\n   \xe2\x80\xa2   Increased security vulnerabilities because patches are no longer issued for Windows 2000\n       servers.\n   \xe2\x80\xa2   The existing vulnerabilities in the legacy authentication method.\n   \xe2\x80\xa2   The inability to leverage the centralized administration of configuration and access\n       controls offered by the IRS main production domain.\n   \xe2\x80\xa2   The dual logon environment impeding the IRS\xe2\x80\x99s goal of consistent identity management\n       for complying with HSPD-12 requirements and IRS enterprise architecture security\n       principles.\n\nThe four SOI organization forests are not needed to achieve stated goals of\nsecurity and availability\nThe SOI organization collects, analyzes, and disseminates information on Federal taxation to\nvarious organizations engaged in economic and financial analysis and to the general public. The\nIRS Chief Technology Officer authorized the SOI organization to manage its own budget,\ninfrastructure, and operations for the stated purpose of providing adequate security and\navailability of the statistical data it processes. 
When the SOI organization upgraded from its\nmultiple Windows NT domain structure in January 2007, it installed a similar Active Directory\nconfiguration consisting of four separate forests, called SOIWORLD, SOINET, SOIPIN, and\nLIN. However, an implementation of four forests was not needed to achieve SOI organization\ngoals of access control, data protection, and data availability. Rather, SOI organization goals for\nsecurity and availability could be better achieved within the IRS main production forest.\nSOI organization officials believe the four forests were needed to provide for the security\nprinciple of separation of duties. SOI organization officials indicated that if they were to\ncollapse the four forests into one forest, several administrators would have access to all data\nwithin the entire SOI organization. They also stated that, because the administrators of each of\nthe four forests only have administrative privileges over their respective forests, they can\neliminate potential unauthorized access to sensitive data maintained in the other forests. In\naddition, the users of the different forests are also maintained in separated or segmented\npopulations throughout the four-forest design. For example, the users of the LIN forest are\nmainly auditors, while the users of the SOIWORLD forest are comprised mostly of researchers.\nSOI organization officials believe this supports a clear and unambiguous need for separation of\nprivileges within the SOI organization.\nSeparate forests are neither necessary nor sufficient to protect data from unauthorized access.\nRather, sensitive resources should be protected with multiple levels of access controls with role\nseparation implemented to ensure that an administrator with permission to manage one level of\naccess control does not have permission to manage all levels. 
Rather than multiple forests,\n\n                                                                                              Page 7\n\x0c                     Continued Centralization of the Windows Environment\n                     Would Improve Administration and Security Efficiencies\n\n\n\ndomains within the common IRS Active Directory forest should be created to contain SOI\norganization resources, provide distinct administrative boundaries, and allow for customization\nof SOI organization-specific requirements while still adhering to IRS enterprise architecture\nsecurity principles.\nFurther, SOI organization users have dual logon accounts, which create problems for the IRS\nmoving towards an HSPD-12 smart card environment. SOI organization users possess an\naccount in an SOI organization forest, to which they log on for performing their SOI\norganization duties, and an account in the IRS main production domain to which they log on for\nusing common IRS services such as email and other service-wide resources. In order to advance\nthe goal of consistent identity management and to maximize the value of the IRS Active\nDirectory infrastructure, the SOI organization users\xe2\x80\x99 IRS main production logon credentials\nshould be used as their sole Active Directory logon credentials for accessing SOI organization\nresources.\nThe SOI organization\xe2\x80\x99s implementation of four forests has resulted in inefficiencies relating to\nextra equipment, extra staff and man-hours to manage the additional equipment, the inability to\ntake advantage of centralized management processes and technical solutions, and failure to meet\nthe principles of the IRS enterprise architecture.\n\nThe nine ISRP organization forests cause management inefficiencies and\nunnecessary equipment\nThe ISRP application transcribes and formats data from paper tax returns and related documents\nfor export to other IRS systems by key entry operators. 
It also captures check images for archiving. The IRS contracts with Lockheed Martin to manage the ISRP organization system code, though the IRS owns and manages the computer equipment and network that the ISRP organization system uses to perform its daily operations. In Fiscal Year 2003, when the ISRP organization converted from Windows NT to Active Directory, ISRP organization system administrators set up separate production forests at each of its six geographical sites where ISRP application processing occurs, generally to mirror how the former Windows NT domains were set up. They also implemented three forests for development, testing, and training. The ISRP organization staff stated that security would have to change if they went to a different configuration and, therefore, they stayed as close as possible to the current configuration.

While we agree that development and testing should generally be separated from a production environment, the ISRP organization did not utilize the administration efficiencies offered by consolidating its Active Directory infrastructure where possible. Minimizing the number of forests as much as possible would have allowed administration and security control from a centralized location and potentially realized significant savings by reducing duplicate support requirements. MITS organization staff informed us that the ISRP organization Windows Active Directory environment was designed by the ISRP contractors without consultation with the MITS organization staff who were charged with implementing the IRS's main production forest in Fiscal Year 2005.
In addition, the ISRP contractors have not ensured the ISRP Windows Active Directory environment has remained valid over time. Further, ISRP organization users have dual logon accounts, one for accessing the ISRP application and another for accessing the IRS main production forest, which creates problems for the IRS moving towards an HSPD-12 smart card environment and centralized and consistent identity and authentication management in adherence to IRS enterprise architecture security principles.

In addition, we identified inefficiencies related to network equipment at two ISRP production sites.

•   Enterprise Networks organization staff at one of the six ISRP organization production sites described unneeded layers of ISRP routers and switches that provided an appearance of a separate ISRP network, although no real distinction between the ISRP network and the IRS network exists (i.e., they are one and the same). The Enterprise Networks organization staff took action to upgrade the ISRP routers and switches at that site because they often caused downtime and were noncompliant with IRS configuration requirements. At that time, the Enterprise Networks organization staff eliminated one router that was unnecessary. The Enterprise Networks organization staff believed this action was necessary because the ISRP vendor would not pay for the upgrade of equipment needed to meet IRS security requirements.
    This removal resulted in less downtime and the ability for the IRS to monitor that network components remain compliant with IRS standards.

    The Enterprise Networks organization staff advised us that the ISRP vendor also recently enabled Dynamic Host Configuration Protocol[9] services on two ISRP servers, which was unnecessary since the ISRP organization could use the IRS's Dynamic Host Configuration Protocol servers. The Enterprise Networks organization staff stated that, in general, the ISRP vendor claims it needs control over the network and its components in order to guarantee its performance under its contract. The Enterprise Networks organization staff believed efficiencies could be realized if local IRS staff were allowed to support and manage the network components at the other ISRP organization sites.

•   Enterprise Networks organization staff at another ISRP organization production site advised us that ISRP organization routers and switches there have also introduced unnecessary complications to the network infrastructure, as well as introducing additional points of failure. The Enterprise Networks organization staff's professional opinion was that the ISRP organization routers are unnecessary. The Enterprise Networks organization staff indicated that the switches are necessary but could easily be replaced by IRS switches. This replacement would serve to flatten the network, improve management, and provide local technicians the ability to troubleshoot.

    The Enterprise Networks organization staff stated that it currently has no view into the ISRP organization network, including its routers and switches, or access to these devices. As a result, they are unable to assist the user community when trouble occurs. However, the Enterprise Networks organization staff has the responsibility to replace faulty routers and/or switches when ISRP organization contractors determine replacements are needed. This situation requires Enterprise Networks organization staff to rely on ISRP organization contractors to have completed thorough and competent troubleshooting before determining a replacement is needed. Further, the Enterprise Networks organization staff informed us that ISRP organization routers and switches have also caused additional, and unnecessary, complications to the workstation configurations. The Enterprise Networks organization staff stated that the ISRP organization network design is faulty in that it requires all workstations to be manually configured, resulting in a poorly designed version of load balancing.[10] The Enterprise Networks organization staff believed the ISRP organization should be using Dynamic Host Configuration Protocol to configure network parameters on its workstations, alleviating the need to do this resource-intensive work manually.

[9] A protocol for assigning dynamic Internet Protocol addresses to devices on a network. Dynamic addressing simplifies network administration because the software keeps track of Internet Protocol addresses rather than requiring an administrator to manage the task.

The ISRP organization Program Office staff advised us that the ISRP organization contract expires in Fiscal Year 2012. The IRS should consider implementing changes to the ISRP organization contract that would allow the IRS to improve on the current administration and network inefficiencies caused by operating an application across multiple forests.

We believe the unnecessary separate BSM, SOI, and ISRP organizations' forests exist because the IRS did not finalize its policy for forest design nor enforce its Active Directory network topology in compliance with its enterprise architecture security principles.

Inefficiencies related to extra forests include the installation of extra equipment, additional staff required to manage the excess infrastructure, and the inability to centrally assign enterprise-wide policies and apply critical updates, which impedes the IRS from achieving its goal of consistent identity management and HSPD-12 requirements.
Consolidating unnecessary forests would allow administration and security control from a centralized location and potentially realize significant savings by reducing duplicate support requirements.

[10] Load balancing is a computer networking methodology to distribute workload across multiple computers or other resources to achieve optimal resource utilization, maximize throughput, minimize response time, and avoid overload.

Recommendations

The Chief Technology Officer should ensure that:

Recommendation 1: The MITS organization establishes an enterprise-wide Active Directory governing body that finalizes and enforces IRS Active Directory forest design criteria, develops standards, oversees trusts, and ensures unauthorized forests or domains are not implemented in the IRS.

    Management's Response: The IRS agreed with this recommendation. The MITS organization will establish an Active Directory governing body to finalize and enforce IRS Active Directory forest design criteria, standards, oversee trusts, and ensure unauthorized forests or domains are not implemented in the IRS.

Recommendation 2: The planned shutdown of the BSM forest is completed once the SAP Secure Network Communications solution is in place. The SOI and ISRP organizations should work with the MITS organization to perform a feasibility study to determine if the collapse of the SOI and ISRP forests is practical and in the best interest of the IRS.
If deemed in the best interest of the IRS, the MITS organization should prepare plans with funding requirements and potential completion dates to accomplish the collapse of one or both of these organizations' forests.

    Management's Response: The IRS agreed with this recommendation. The MITS organization will complete the shutdown of the BSM forest after the deployment of the SAP Secure Network Communications solution is in place. Additionally, the MITS organization will work with the ISRP and SOI organizations to study the costs, staffing, and technical issues involved in the collapse of these forests into the IRS main Active Directory forest. If it is deemed practical and in the best interest of the IRS and the business unit to collapse the forests, the MITS organization will work with the ISRP and SOI organizations to determine the project(s) and timeline to accomplish the work within overall project priorities and available funding. As it relates to the SOI forest, the IRS will address specific guidelines for Federal Statistical Agencies to protect the confidentiality of the data as set forth in the Confidential Information Protection and Statistical Efficiency Act, which was signed into law under Title V of the E-Government Act of 2002.

    Office of Audit Comment: The IRS did not agree with the outcome measure (see Appendix IV) relating to the expenditure of $1,200,000 in contract fees to maintain obsolete computer equipment in the BSM forest. In its response, the IRS stated that the computer equipment was required to support critical financial and accounting management functions and that these functions would have stopped had the monies not been spent. The IRS agreed that the computer equipment needs to be updated, and a plan has been formulated to do so in Fiscal Year 2012. However, we contend that the IRS should have been aware of the July 2010 date when Microsoft ended its support for these types of computers, and that the IRS did not act with due diligence to formulate an update plan prior to that date in order to resolve the vulnerability caused by these obsolete computers. Therefore, the IRS's expenditure of funds to maintain the obsolete computer equipment that put critical functions at risk, rather than spending those funds to resolve the vulnerability, was an inefficient use of resources.

Not All Windows Servers and Workstations Connected to the Network Reside in Authorized Domains

IRS policy requires that all computers connected to the IRS network reside in an approved domain, except for public web servers. Domains are groups of computers on a network within a forest that are administered as a unit with common rules and procedures. Managing Windows servers in Active Directory domains offers a centralized and efficient method for applying and managing security controls on all computers residing in the domain.

In December 2008, the MITS Enterprise Operations organization created a standard in order to prevent servers from being connected to the network without the proper authorization and required compliance documentation, as well as to prevent unauthorized domains from being created. The Associate Chief Information Officer, Enterprise Operations organization, is responsible for establishing, maintaining, and enforcing this standard for all Windows servers connected to the IRS network.
This standard authorizes the identification and reporting to the Associate Chief Information Officer (or designee), Enterprise Operations organization, and applicable business owners of any noncompliant server if one or more of the following conditions apply:

   1. Is identified as operating on the IRS network without being documented as a part of an IRS general support system, or having its own security certification, or otherwise being authorized/certified to operate by the MITS Cybersecurity organization.
   2. Is not in compliance with the security settings defined in the Internal Revenue Manual and Enterprise Operations organization security configuration standard as appropriate for the server's operating system.
   3. Does not have the required server information entered in the Enterprise Operations Server Database, including an organization designated as the server owner, the domain to which the server belongs (or will belong), the general support system to which the server belongs, and a point of contact for the server.
   4. Is a member of an unauthorized domain. Servers in unauthorized domains, as well as the domains themselves, are subject to removal from the network.

Based on network scans performed by the IRS in November 2010, the Business DNA[11] asset discovery tool identified 772 Windows servers and 238 workstations, in a total of 71 uniquely named domains or groups, residing on the IRS network but outside of the administrative boundaries established by the Enterprise Operations, Chief Counsel, Criminal Investigation, Computer Security Incident Response Center, SOI, BSM, and ISRP organizations. The Business DNA scanning tool identifies computers and other devices that are active on the network at the point in time the scan occurs. Figure 2 provides a list of unidentified domains or groups with servers and/or workstations on the IRS network.
This list may not be all-inclusive of servers and workstations residing outside of recognized domains.

Figure 2: List of Unidentified Domains or Groups With Servers and/or Workstations on the Network

Unidentified Domain or Group     Windows Servers   Windows Workstations
ADCW2K                                         2                      0
ADPOC                                          1                      0
ALARMPOINT                                     4                      0
AMSHLD                                         0                      1
ANDOVERSEC                                     2                      0
ASPECTCC                                      83                      0
BLN004-WG                                      4                      0
CIO                                            1                      0
CLEARPATH                                      2                      0
DALLAS-LAB                                     1                      0
DEVNET                                         1                      1
DTS                                           37                      0
EA                                             3                      0
ENCIL                                          1                      0
EPPM                                           3                      0
GEOIRS                                       233                      3
IE-LAB                                         1                      0
INTERVOICE                                     1                      0
INTRUSHIELD                                    1                      0
IPT                                           16                      1
IPTELEPHONY                                    1                      0
IRS                                           16                      3
IRS_WORKGROUP                                  1                      0
IRSERAP                                        2                      0
IRSIPTELEPHONY                                 5                      4
IRS-IPTELEPHONY                                9                      0
IRS-IPTELEPHONYI                               5                      0
IRSKCSC                                        2                      0
IRSODN001BERBEEI                               1                      0
IRSOGDENCCM                                    1                      0
IRSOGDENIPT                                    1                      0
IRS-TELEPHONY                                  2                      0
LAB_TEST                                       1                      0
LMSB                                           0                      1
MDI                                            7                      0
MDI-3166                                      10                      0
METRO1                                         4                      0
METRO2                                         5                      0
METRO3                                         1                      0
MSHOME                                         0                      1
MTCNC                                          0                      1
MTCSBX                                         2                      0
NC                                             0                      1
NEW                                            0                      1
PEDRO                                          0                      1
PSC003                                         4                      0
PUE75A                                         2                      0
RESEARCH                                       7                      0
ROADMAP                                        7                      0
ROADMAP2                                       3                      1
SBX2                                           1                      0
SBX2.PRIME.IRS.GOV                             1                      0
SECURITY                                       1                      7
T                                              2                      0
TACACS-EXT                                     2                      0
TACACS-INT                                     3                      0
TEMP                                           1                      0
TEST                                           0                      1
TMPWORK                                        3                      6
VDE                                            1                      0
VELOCITY                                       0                      1
VGNOC                                          2                      0
VOIP                                           7                      2
VVV                                            0                      1
W                                              0                      1
WG                                             0                      3
WORK                                           0                      1
WORKGROUP                                    250                    193
WORKGROUPX                                     2                      0
WRKGR                                          0                      1
WW                                             0                      1
TOTALS                                       772                    238

Source: Results of Business DNA network scan the IRS performed in November 2010.

[11] Business DNA is an asset discovery tool that provides detailed hardware and software configuration information for all devices connected to the network. The Department of the Treasury recently selected Business DNA as the enterprise tool for all bureaus to use in information technology asset discovery, inventory, and reporting.

We selected a judgmental sample of 12 servers from this list and requested the Enterprise Operations organization determine whether or not the domains or groups they were residing in were authorized. Of these 12 servers, the Enterprise Operations organization did not recognize the domain or group name for 7 of them nor could it determine the owner or purpose of these servers.
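The reconciliation that the Enterprise Operations standard and Figure 2 describe, as an added example in Python that is not code from the report or the IRS: a scan export is checked against the authorized-domain list and the Server Database to flag each of the four conditions per server, and hosts outside recognized boundaries are rolled up per domain or group. All hostnames, the MAIN-PROD domain, the certification and compliance sets, and the database entries are constructed placeholders; only the SOI forest names and the GEOIRS, ASPECTCC and WORKGROUP group names come from the report.

```python
"""Reconcile an asset-discovery scan against authorized domains and the server database,
flagging the four noncompliance conditions of the Enterprise Operations standard and
summarizing unidentified domains or groups as Figure 2 does. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    hostname: str
    domain: str      # domain or workgroup name as reported by the discovery scan
    is_server: bool  # False for a workstation


@dataclass(frozen=True)
class ServerDbEntry:
    """Fields the standard requires in the Enterprise Operations Server Database."""
    owner: str = ""
    domain: str = ""
    gss: str = ""  # general support system the server belongs to
    poc: str = ""  # point of contact


# Constructed: domains inside recognized administrative boundaries. MAIN-PROD is a
# placeholder for the main production domain; the SOI forest names are from the report.
AUTHORIZED_DOMAINS = {"MAIN-PROD", "SOIWORLD", "SOINET", "SOIPIN", "LIN"}

# Constructed: hosts documented as part of a general support system or otherwise certified
# to operate (condition 1), and hosts meeting the configuration standard (condition 2).
CERTIFIED_HOSTS = {"EOSRV01", "EOSRV02", "SOI-DC1", "ACD01"}
COMPLIANT_HOSTS = {"EOSRV01", "EOSRV02", "SOI-DC1", "ACD01"}

# Constructed Server Database (condition 3). EOSRV02 is missing its point of contact.
SERVER_DB = {
    "EOSRV01": ServerDbEntry("Enterprise Operations", "MAIN-PROD", "GSS-1", "J. Doe"),
    "EOSRV02": ServerDbEntry("Enterprise Operations", "MAIN-PROD", "GSS-1", ""),
    "SOI-DC1": ServerDbEntry("SOI", "SOIWORLD", "GSS-7", "A. Roe"),
}

# Constructed scan export; GEOIRS, ASPECTCC and WORKGROUP appear in Figure 2.
SCAN_RECORDS = [
    ScanRecord("EOSRV01", "MAIN-PROD", True),
    ScanRecord("EOSRV02", "MAIN-PROD", True),
    ScanRecord("SOI-DC1", "SOIWORLD", True),
    ScanRecord("GEO-SRV-01", "GEOIRS", True),
    ScanRecord("ACD01", "ASPECTCC", True),
    ScanRecord("WS-1234", "WORKGROUP", False),
    ScanRecord("WS-5678", "WORKGROUP", False),
]


def noncompliance_conditions(rec, server_db=SERVER_DB, certified=CERTIFIED_HOSTS,
                             compliant=COMPLIANT_HOSTS, authorized=AUTHORIZED_DOMAINS):
    """Return the numbers (1-4) of the standard's conditions a host triggers, [] if none.
    The standard is written for servers, so workstations are checked only for condition 4."""
    conds = []
    if rec.is_server:
        if rec.hostname not in certified:
            conds.append(1)
        if rec.hostname not in compliant:
            conds.append(2)
        entry = server_db.get(rec.hostname)
        if entry is None or not all((entry.owner, entry.domain, entry.gss, entry.poc)):
            conds.append(3)
    if rec.domain.upper() not in authorized:
        conds.append(4)
    return conds


def unidentified_summary(records, authorized=AUTHORIZED_DOMAINS):
    """Figure 2 style rollup: {domain_or_group: (servers, workstations)} for hosts whose
    domain or group lies outside the authorized boundaries, sorted by name."""
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        if rec.domain.upper() not in authorized:
            counts[rec.domain.upper()][0 if rec.is_server else 1] += 1
    return {name: tuple(v) for name, v in sorted(counts.items())}


def totals(summary):
    """(servers, workstations) totals over an unidentified_summary result."""
    return (sum(s for s, _ in summary.values()), sum(w for _, w in summary.values()))


if __name__ == "__main__":
    for rec in SCAN_RECORDS:
        print(f"{rec.hostname:12} {rec.domain:10} conditions={noncompliance_conditions(rec)}")
    summary = unidentified_summary(SCAN_RECORDS)
    print(f"\n{'Unidentified Domain or Group':30} Servers Workstations")
    for name, (srv, ws) in summary.items():
        print(f"{name:30} {srv:7} {ws:12}")
    srv_total, ws_total = totals(summary)
    print(f"{'TOTALS':30} {srv_total:7} {ws_total:12}")
```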
The server information had not been entered in the Enterprise Operations organization Server Database, and none had the Tivoli®[12] software installed. At the time the Enterprise Operations organization performed its research on these servers in April 2011, all but one of the seven servers were still active on the IRS network.

[12] Tivoli is a registered trademark owned by the IBM Corporation. The implementation of Tivoli is part of the IRS Enterprise Systems Management project encompassing helpdesk operations, network and systems management, software distribution, asset management, and performance measures analysis and reporting.

Enterprise Operations organization officials informed us that valid reasons may exist for some of these domains and groups, but it would take massive man-hours to research them to make this determination. Valid reasons for keeping computers in separate IRS forests and domains could include, for example, the need to isolate computers that protect the IRS from internet attacks, or to contain computers that are too old to operate in an Active Directory environment. Enterprise Operations organization officials also stated that while they created standards to prevent unauthorized domains from being created and servers from being connected to the network without the proper authorization, no central controlling authority over domain creation or approval exists at the IRS to ensure compliance with Enterprise Operations organization standards.

A lack of control over domain creation defeats the efficiencies the MITS organization intended to achieve when implementing one shared administrative boundary for the majority of IRS resources.
In addition, if not part of an approved domain, these servers and workstations may be at increased risk of noncompliance with IRS security policy, putting the IRS at risk of security breaches.

Recommendations

The Chief Technology Officer should ensure that:

Recommendation 3: Standards and processes are developed and implemented enterprise-wide to prevent servers and workstations from being connected to the network without the proper authorization and required compliance documentation.

    Management's Response: The IRS agreed with this recommendation. The IRS will ensure that standards and processes are developed and implemented enterprise-wide to prevent servers and workstations from being connected to the network without proper authorization and required compliance documentation.

Recommendation 4: Scanning tools, such as Business DNA, are utilized to locate unauthorized servers, workstations, and domains on the IRS network, and adequate procedures are developed and implemented to ensure they are removed.

    Management's Response: The IRS agreed with this recommendation. The IRS will use automated scanning tools for asset identification and has been in the process of implementing this capability, even prior to this audit.
    The IRS will also ensure that IRS policy addresses the issue of proper handling and potential removal of any unauthorized assets found, regardless of how they are discovered.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has structured its Windows environment to provide efficient and secure management of Windows servers. To accomplish the objective, we:

I.  Evaluated the IRS Active Directory environment to determine whether its structure provided efficient and secure management of Windows servers.
    A. Determined whether the IRS effectively controlled the creation of Active Directory forests[1] in its Windows environment.
       1. Obtained IRS Windows servers inventory and forest design data from the IRS personnel responsible for managing them.
       2. Documented the IRS Windows environment, including the number of forests, domains, and Windows servers.
    B. Interviewed IRS personnel responsible for currently known forests and made a conclusion on whether each met IRS criteria for establishing a forest.
       1. Determined whether each forest was considered appropriate by the MITS Enterprise Services, System Architecture and Engineering organization.
       2. Determined whether each forest met IRS criteria for establishing a separate forest.
    C. Obtained Business DNA scan data and analyzed the additional forests, domains, and servers it identified.
       1. Interviewed IRS staff to determine whether the additional forests, domains, and servers identified by the Business DNA scan data were authorized.
       2. Selected a sample of 12 servers from the population of 772 servers that the Business DNA scan identified that were not included in the inventory listings of servers provided by the IRS. We judgmentally selected the 12 servers due to time constraints and the time-intensive research required to determine whether or not the forests, domains, or groups they were residing in were authorized.
       3. Determined the causes that allowed the creation of any unauthorized forests, domains, and servers.
       4. Determined the effects any unauthorized forests, domains, and servers had on the IRS Windows environment.
    D. Determined whether the IRS had adequate policy for controlling the creation of Windows forests.
       1. Obtained current IRS policy for the creation of forests and determined whether it was adequate to control the creation of unnecessary forests.
       2. Interviewed IRS staff to determine why the IRS policy for the creation of forests was not complete or adequate.

[1] A forest is the outermost design element or boundary in an Active Directory.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: IRS policy and procedures for Windows server security and creation of Active Directory infrastructure. We evaluated these controls by interviewing IRS personnel, reviewing Active Directory design documents, obtaining Windows server inventories, and analyzing network scan data.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security & Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
George Franklin, Senior Auditor
Midori Ohno, Senior Auditor
Ashley Weaver, Auditor
Elton Jewell, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Director, Office of Research, Analysis and Statistics RAS
Chief Counsel CC
Chief, Criminal Investigation SE:CI
National Taxpayer Advocate
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Director, Statistics of Income RAS:S
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OSCFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

•   Inefficient Use of Resources – Potential; $1,200,000 in contract fees (see page 4).

Methodology Used to Measure the Reported Benefit:

From July 2010 to July 2011, the IRS spent $1,200,000 on a contract with the IBM Corporation to provide computer equipment that serves to authenticate users to the IFS[1] application. The computers are primarily Windows 2000 servers. The Microsoft Corporation ended support for Windows 2000 servers in July 2010 and no longer issues patches to protect the servers from known vulnerabilities. Consequently, the IRS has spent $1,200,000 to maintain obsolete servers that are a high security risk.

[1] The IFS manages the IRS's $11.4 billion operating budget for administering tax payments, collection, and enforcing tax laws.

Appendix V

Management's Response to the Draft Report